Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
888b0cc7 by Moritz Muehlenhoff at 2020-01-21T23:25:49+01:00
Further libstb triage
Remove preliminary NOTEs, bugs will be filed to address the embedded code
copies, but there's no need to treat any of the current embeds as security
issues in the packages embedding them.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1822,35 +1822,29 @@ CVE-2020-6623 (stb stb_truetype.h through 1.22 has an
assertion failure in stbtt
NOTE: https://github.com/nothings/stb/issues/865
NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa,
godot, dart
CVE-2020-6622 (stb stb_truetype.h through 1.22 has a heap-based buffer
over-read in s ...)
- - libstb <unfixed> (low)
+ - libstb <unfixed> (low; bug #949559)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/869
- NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa,
godot, dart
CVE-2020-6621 (stb stb_truetype.h through 1.22 has a heap-based buffer
over-read in t ...)
- - libstb <unfixed> (low)
+ - libstb <unfixed> (low; bug #949558)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/867
- NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa,
godot, dart
CVE-2020-6620 (stb stb_truetype.h through 1.22 has a heap-based buffer
over-read in s ...)
- - libstb <unfixed> (low)
+ - libstb <unfixed> (low; bug #949557)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/868
- NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa,
godot, dart
CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in
stbtt__buf ...)
- - libstb <unfixed> (low)
+ - libstb <unfixed> (low; bug #949556)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/863
- NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa,
godot, dart
CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer
over-read in s ...)
- - libstb <unfixed> (low)
+ - libstb <unfixed> (low; bug #949555)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/866
- NOTE: Potentially affects mesa, libstb, embree, zynaddsubfx, qemu,
godot, sumo, libtcod, box2d, goxel, mame, u-boot, retroarch, dart, zam-plugins,
renderdoc
CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in
stbtt__cff ...)
- - libstb <unfixed> (low)
+ - libstb <unfixed> (low; bug #949554)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/867
- NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa,
godot, dart
CVE-2020-6616
RESERVED
CVE-2020-6615 (GNU LibreDWG 0.9.3.2564 has an invalid pointer dereference in
dwg_dyna ...)
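Review bot: The `NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart` line under CVE-2020-6623 at the top of this hunk stays as unchanged context, while the same kind of preliminary note is removed from CVE-2020-6617 through CVE-2020-6622. Since the commit message says the preliminary NOTEs are being removed, drop it there as well, and check that the CVE-2020-6623 libstb line (above the visible context) carries a bug reference like the six entries changed here. Separately, CVE-2020-6621 and CVE-2020-6617 both point at https://github.com/nothings/stb/issues/867, which looks like a copy-paste slip in one of them; confirm the upstream issue number while these entries are being touched.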
@@ -69818,11 +69812,9 @@ CVE-2018-19756 (There is a heap-based buffer over-read
at stb_image.h (function:
[buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
- - libstb <unfixed> (low)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/80
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649198 (reproducer)
- NOTE: Pontentially affects mame, libsfml, love, zynaddsubfx, yquake2,
ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc,
goxel
+ NOTE: CVE description is misleading, not an issue in libstb
CVE-2018-19755 (There is an illegal address access at asm/preproc.c (function:
is_mmac ...)
- nasm <unfixed> (unimportant; bug #915087)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392528
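Review bot: The added `NOTE: CVE description is misleading, not an issue in libstb` for CVE-2018-19756 records the conclusion but not the reason, and with both libstb lines deleted the entry no longer carries any package status for libstb. Consider saying briefly in the note why the stb_image.h named in the description does not implicate libstb, or keeping an explicit status line such as `- libstb <not-affected> (...)` in the style of the `[jessie] - libsixel <not-affected>` line above, so the triage decision stays visible to whoever next reviews the embedded copies.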
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/888b0cc71f33ccf334d89202d12bb29c4df340c3